Since the value of the Monero cryptocurrency has almost tripled, it is no surprise that the VenusLocker[1] developers have switched tactics to gain more profit: the hackers now distribute Monero-mining malware. On December 20, researchers spotted a new malspam campaign targeting South Korean users.

The VenusLocker ransomware authors spread two versions of fake emails carrying the XMRig v2.4.2 miner to exploit the victims' computing power[2]. One of the letters claims to come from a popular South Korean online shop and informs the recipient of a fake consumer data breach.

The other one says that the recipient's website is using images without the author's permission and is legally liable for it. Both emails urge the recipient to open the attachment for further details[3]. Unfortunately, once it is opened, the computer is infected with the Monero-mining malware.

Although the mining application itself is entirely legitimate under normal circumstances, the malicious attachments carried a pre-configured version of it that delivers the mined cryptocurrency to the VenusLocker hacker group.

The peculiarities of the cyber attack

According to the analysis, the criminals use the EGG archive format in the phishing emails, which indicates that they mainly target people in South Korea[4]:

Files attached to these malicious emails are compressed in EGG archive format, which is not very common. However, this archive format is less likely to be uncommon for the intended targets, since it is a proprietary format developed by the South Korean software development company ESTsoft.

They also give the attachments genuine-looking icons and file extensions that disguise them as documents and images, to lure inexperienced computer users into opening them.

Moreover, mining cryptocurrency, whether Bitcoin or Monero, requires a lot of CPU power. To hide that load, the crooks designed the malware to operate under the legitimate Windows process wuapp.exe. To avoid raising suspicion, they even execute that process beforehand.
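As an added defender-side example (not code from this article or from the researchers it cites), the following Python script applies two triage heuristics drawn from the two points above: it flags EGG attachments and document or image extensions that hide a shortcut or executable, and it flags wuapp.exe instances that run outside System32 or show miner-like CPU load. The attachment names, the process snapshot, the System32 path and the 80% CPU threshold are all constructed assumptions for the example.

```python
from pathlib import PureWindowsPath

# Constructed sample data for this example (not indicators from the actual campaign).
ATTACHMENTS = [
    "data_breach_notice.egg",            # uncommon archive format seen in the campaign
    "invoice_2017.pdf",                  # benign-looking single extension
    "image_license_violation.jpg.lnk",   # shortcut disguised as an image
]
PROCESSES = [  # (name, image path, CPU %) as a host snapshot might report them
    ("wuapp.exe", r"C:\Windows\System32\wuapp.exe", 0.3),
    ("wuapp.exe", r"C:\Users\user\AppData\Local\Temp\wuapp.exe", 97.5),
    ("explorer.exe", r"C:\Windows\explorer.exe", 1.2),
]

DOC_OR_IMAGE = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".jpeg", ".png", ".gif"}
EXECUTABLE = {".exe", ".lnk", ".scr", ".js", ".vbs", ".bat", ".cmd"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")  # assumed legitimate location
CPU_THRESHOLD = 80.0  # assumed threshold for "sustained miner-like" load


def triage_attachment(name):
    """Return a finding label for a suspicious attachment name, else None."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if suffixes and suffixes[-1] == ".egg":
        return "egg-archive"
    # e.g. "report.jpg.lnk": a document/image extension hiding an executable one
    if len(suffixes) >= 2 and suffixes[-2] in DOC_OR_IMAGE and suffixes[-1] in EXECUTABLE:
        return "disguised-executable"
    return None


def triage_process(name, path, cpu_percent):
    """Flag wuapp.exe instances that run from the wrong place or burn CPU."""
    if name.lower() != "wuapp.exe":
        return None
    if PureWindowsPath(path).parent != SYSTEM32:
        return "masquerade-path"          # legitimate name, non-system location
    if cpu_percent >= CPU_THRESHOLD:
        return "unexpected-cpu-load"      # right binary path, but miner-like load
    return None


def run_triage(attachments=ATTACHMENTS, processes=PROCESSES):
    """Combine both checks and return only the items that produced a finding."""
    findings = [(a, triage_attachment(a)) for a in attachments]
    findings += [(p[1], triage_process(*p)) for p in processes]
    return [(item, label) for item, label in findings if label]


if __name__ == "__main__":
    for item, label in run_triage():
        print(f"{label:22s} {item}")
```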

Metadata analysis points straight to the authors of VenusLocker virus

Malware researcher Joie Salvio notes that this cyber attack employs the same scheme VenusLocker used in the past:

Aside from the target paths, the shortcut files used during the VenusLocker ransomware period are practically identical to the ones being used in this campaign.

IT specialists believe that the VenusLocker developers switched to mining cryptocurrency because Monero's mining algorithm is designed for regular computers and, unlike Bitcoin's, does not require Application-Specific Integrated Circuits (ASICs) or high-end GPUs[5].

About the author

Lucia Danes
- Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.